The Australian government announced its ‘Ransomware Action Plan’ that introduces criminal offences, tougher penalties, and a mandatory reporting regime, as the administration takes action to protect individuals, businesses, and critical infrastructure from ransomware attacks.
The Ransomware Action Plan sets out the Australian government’s immediate strategic approach to tackle the threat posed by ransomware, and builds on the overarching cybersecurity architecture introduced in the 2016 and 2020 Cyber Security Strategies, and is designed around the framework of the ‘National Strategy to Fight Transnational, Serious and Organised Crime.’
Built on three objectives delivering initiatives in the immediate and mid-term, the Ransomware Action Plan seeks through its ‘Prepare and Prevent’ module to build Australia’s resilience to ransomware attacks. Its ‘Respond and Recover’ module will focus on strengthening responses to ransomware attacks by ensuring support is available to victims, and ‘Disrupt and Deter’ will work towards disrupting cybercriminals through deterrence and offensive action by strengthening Australia’s criminal law regime and increasing the likelihood of ransomware gangs being caught.
Under the Ransomware Action Plan announced Wednesday, the government will introduce a new stand-alone aggravated offence for all forms of cyber extortion to ensure that cybercriminals who use ransomware face increased maximum penalties, if caught, giving law enforcement a stronger basis for investigations and prosecution of ransomware criminals. The administration will also introduce a new stand-alone aggravated offence for cybercriminals seeking to target critical infrastructure. This will ensure cybercriminals targeting critical infrastructure face increased penalties, recognizing the significant impact on assets that deliver essential services to Australians.
The Australian government will also criminalize the act of dealing with stolen data knowingly obtained in the course of committing a separate criminal offence, so that cybercriminals who deprive a victim of their data or publicly release a victim’s sensitive data, face increased penalties. The government will also criminalize the buying or selling of malware to undertake computer crimes, and modernize legislation to ensure that cybercriminals won’t be able to realize and benefit from their ill-gotten gains, and law enforcement can better track and seize or freeze cybercriminals’ financial transactions in cryptocurrency.
“Ransomware gangs have attacked businesses, individuals and critical infrastructure right across the country,” Minister for Home Affairs Karen Andrews said in a media release. “Stealing and holding private and personal information for ransom costs victims time and money, interrupting lives and the operations of small businesses. That’s why the Morrison Government is taking action to disrupt, pursue and prosecute cybercriminals. Our tough new laws will target this online criminality, and hit cybercrooks where it hurts most – their bank balances,” she added.
“We believe that greater sanctions and an increase in government and industry cooperation can play a vital role in keeping Australia safe, and we look forward to more detail being released on the plan,” Scott McKinnel, ANZ country manager at Tenable, said in an emailed statement.
“Having said that, businesses can’t rely on the government alone to protect them. It’s equally important for businesses to take steps to minimise threats including fixing unpatched vulnerabilities, implementing strong security controls for remote desktop protocol, and ensuring endpoint security is up-to-date – especially in remote environments,” McKinnel added.
Like its U.S. counterparts, Australia will also develop a mandatory ransomware incident reporting regime to enhance the administration’s understanding of the threat and enable better support to victims of ransomware attacks. It will be designed to benefit, not burden small businesses, with businesses with a turnover of over US$10 million per annum expected to be subject to the regime.
The Ransomware Action Plan also makes clear that the Australian Government does not condone ransom payments to cybercriminals, as there is no guarantee that the hackers will restore information, stop their attacks, and not leak or sell stolen data. The scheme also follows the establishment of a new Australian Federal Police-led multi-agency operation that will target ransomware attacks that are linked directly to sophisticated organized crime groups operating in Australia and overseas. It will also share intelligence directly with the Australian Cyber Security Centre as they utilize their disruptive capabilities offshore.
The move by the Australian government follows up on last month’s data that showed that all sectors of the Australian economy were affected by the impacts of cybercrime and other malicious cyber activity in the latest financial year. Government agencies at all levels, large organizations, critical infrastructure providers, small to medium enterprises, families and individuals were all targeted over the reporting period, which was predominantly by criminals or state hackers. The COVID-19 pandemic and the shift to remote work also provided new opportunities to both scammers and financially driven thieves.
The measures rolled out by the American and Australian administrations to defend and safeguard their critical infrastructure comes in the wake of rising cybersecurity threats and attacks on these vital frameworks. Singapore also released last week its Operational Technology Cybersecurity Competency Framework (OTCCF) that guides stakeholders to equip professionals in performing their jobs in the OT industry sectors.
The OTCCF intends to guide OT and IT system owners to refer to the OT cybersecurity capabilities required to attract the right people, train them adequately, and map out their career pathways. It seeks to direct training providers to the various technical competencies required by different job roles and be guided to develop ‘best-in-class’ courses and certifications that cater to local training needs and enable OT professionals or potential job seekers to identify skill-sets for cross- and up-skilling for a meaningful career in the OT cybersecurity domain.